Yesterday I found a few vulnerabilities in the latest version of Concrete5 CMS.
I will publish more information here soon.
- SQL injection;
- cross-site scripting;
- information disclosure.
For the last two of them, a registered user is able to attack.
For the SQL injection (for now ;) ) only an admin can trigger this issue (anyway, it could be available via XSS).
If you need more information before I publish it, let me know.